Extracted

• • Target

    e4d717852d34194e02b28288e131ce4f5f50ea46ede680ff91e7ba23a9fffb4f

  • Size

    1.8MB

  • MD5

    43dc13ccffcf71d6f8c44a8e565d451b

  • SHA1

    cd7efd85bdc8f731048bbfcf6eca9f77fe67a984

  • SHA256

    e4d717852d34194e02b28288e131ce4f5f50ea46ede680ff91e7ba23a9fffb4f

  • SHA512

    5f9fa5483b349744bb53c2fd16b35ad4f0967fa9ba36ca07da165619002ae71bd7bf3cc145b40dc8232599850fd47bd2d92e5c6bc5378ca1e7e455cc582f8f39

  • SSDEEP

    49152:pzhnMGQfXUd4zYe1vqZ5J9PRb++R7ZOCpLjcY:pF3Qfk6ElPZZZpLA

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2